Social Warfare <= 3.5.2 - Unauthenticated Arbitrary Settings Update



Description
A malicious eval() call is being inserted into the wp_options table, in the option named social_warfare_settings, in its Twitter field.

When the plugin is active, it causes the site to issue a JavaScript redirect to porn sites.

Deactivating the plugin disables the redirect, but the malicious eval() is still in the database.

The plugin has been pulled from the WordPress repository.

https://wordpress.org/support/topic/malware-into-new-update/

So far we have seen this exploited on live sites running 3.5.1 and 3.5.2.
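An added defender-side check (not part of this entry or of the Social Warfare plugin's own code): a PHP function that walks the unserialised social_warfare_settings array and reports every string value carrying an eval() or script payload, so the injection can be located and removed even while the plugin is deactivated. The key name 'twitter' and the sample array are constructed assumptions; the real option layout may differ.

```php
<?php
// Added example: locate injected code inside the social_warfare_settings
// option array. Works on any nested array, so the exact key holding the
// payload (the entry says "the Twitter field") does not need to be known.
function find_injected_settings(array $settings, string $path = ''): array
{
    $hits = [];
    foreach ($settings as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '.' . $key;
        if (is_array($value)) {
            $hits = array_merge($hits, find_injected_settings($value, $here));
        } elseif (is_string($value) && preg_match('/eval\s*\(|<script\b/i', $value)) {
            $hits[$here] = substr($value, 0, 80); // keep a short excerpt as evidence
        }
    }
    return $hits;
}

// Constructed sample shaped like the affected option (assumed keys, placeholder payload).
$sample = [
    'twitter'  => '<script>eval("/* placeholder injected payload */")</script>',
    'facebook' => 'example_page',
    'network'  => ['pinterest' => 'clean value'],
];

foreach (find_injected_settings($sample) as $where => $evidence) {
    printf("suspicious value at %s: %s\n", $where, $evidence);
}

// Against a live site (for example via `wp eval-file`), get_option() already
// unserialises the stored value, so the same function applies directly:
//   $hits = find_injected_settings((array) get_option('social_warfare_settings', []));
// After reviewing the hits, strip the injected value, save the cleaned array with
// update_option('social_warfare_settings', $clean), and update the plugin to 3.5.3+.
```

Deactivating the plugin only stops the redirect; the stored payload stays in the database until the option itself is cleaned, which is what this check is for.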

Affects Plugin

fixed in version 3.5.3

References

CVE 2019-9978
URL https://wordpress.org/support/topic/malware-into-new-update/
URL https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/
URL https://threatpost.com/wordpress-plugin-removed-after-zero-day-discovered/143051/
URL https://twitter.com/warfareplugins/status/1108826025188909057
URL https://www.wordfence.com/blog/2019/03/recent-social-warfare-vulnerability-allowed-remote-code-execution/

Classification

Type BYPASS

Miscellaneous

Submitter Andrew Wilder
Submitter Website https://www.nerdpress.net
Submitter Twitter @nerdpress
Views 3346
Verified No
WPVDB ID 9238

Timeline

Publicly Published 2019-03-21 (about 1 month ago)
Added 2019-03-21 (about 1 month ago)
Last Updated 2019-03-27 (29 days ago)

Copyright & License

Copyright All data and resources contained within this page and this web site are Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.